Mailman Cross-Site Scripting and Weak Password Generation

Description:

A vulnerability and a weakness have been reported in Mailman, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially brute force a user's password.

1) Input is not properly sanitised by "scripts/driver" when returning error pages. This can be exploited to execute arbitrary HTML or script code in a user's browser session in the context of a vulnerable site by tricking a user into visiting a malicious web site or following a specially crafted link.
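The defect class in 1) is reflected cross-site scripting: request-derived text is copied into an error page without escaping. The following is an added illustration, not Mailman's own "scripts/driver" code: a constructed error-page renderer in its unescaped and escaped forms, plus a small check a reviewer can run over rendered output to detect when untrusted text has reached the page as markup. The page template, function names and sample input are assumptions made for this example.

```python
import html

# Constructed page template in the style of a CGI error page (not Mailman's).
# The {detail} slot receives a string derived from the HTTP request.
PAGE = "<html><body><h1>Error</h1><p>Invalid request: {detail}</p></body></html>"


def render_error_unsafe(detail: str) -> str:
    """Reflects the request-derived string verbatim: the vulnerable pattern."""
    return PAGE.format(detail=detail)


def render_error_safe(detail: str) -> str:
    """Escapes &, <, >, and both quote characters so the browser renders the
    string as text rather than interpreting it as HTML."""
    return PAGE.format(detail=html.escape(detail, quote=True))


def reflects_markup_unescaped(rendered: str, untrusted: str) -> bool:
    """Detection check: returns True if the untrusted input contains
    markup-significant characters and appears unchanged in the output."""
    has_special = any(c in untrusted for c in "<>\"'&")
    return has_special and untrusted in rendered


if __name__ == "__main__":
    # Constructed, harmless sample input: a bold tag, enough to show the difference.
    sample = "<b>x</b>"
    print("unsafe :", render_error_unsafe(sample))
    print("safe   :", render_error_safe(sample))
    print("unsafe reflects markup:", reflects_markup_unescaped(render_error_unsafe(sample), sample))
    print("safe reflects markup  :", reflects_markup_unescaped(render_error_safe(sample), sample))
```

Escaping at the point where text is written into HTML is the fix that belongs in the application; the proxy-based filtering in the solution section is a stop-gap that only catches patterns the filter knows about.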

2) A weakness in the algorithm of the automatic password generation causes only about five million different passwords to be generated. This makes it easier to brute-force automatically generated passwords.

Access:
The whole world

Solution:

1) Filter malicious characters and character sequences in a proxy or firewall with URL filtering capabilities.
2) Choose a strong password for subscriptions, instead of letting Mailman generate one.
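To put the figure in weakness 2) and the advice in solution 2) side by side: a generator that can only ever produce about five million distinct passwords has a keyspace of roughly 22 bits, regardless of how long the passwords look. The added example below is not Mailman's code and does not reproduce its generation algorithm; it computes keyspace, entropy in bits and exhaustive-search cost for a given number of possibilities, compares the advisory's five-million figure against a user-chosen password drawn from a 62-character alphabet, and shows how such a password is generated with the standard library's `secrets` module. The guess-rate value used for the time estimate is an assumption chosen only to make the comparison concrete.

```python
import math
import secrets
import string

# Figure from the advisory: approximately five million distinct generated passwords.
ADVISORY_KEYSPACE = 5_000_000

# Alphabet for the user-chosen alternative: upper, lower and digits (62 symbols).
STRONG_ALPHABET = string.ascii_letters + string.digits


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords when every position is drawn uniformly
    and independently from an alphabet of the given size."""
    return alphabet_size ** length


def entropy_bits(keyspace: int) -> float:
    """Entropy of a uniformly chosen password from a keyspace of this size."""
    return math.log2(keyspace)


def expected_guesses(keyspace: int) -> float:
    """Average number of guesses before a uniformly chosen password is found
    when the whole space is enumerated (half the space, on average)."""
    return keyspace / 2


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at a given guess rate."""
    return keyspace / guesses_per_second


def strong_password(length: int = 16, alphabet: str = STRONG_ALPHABET) -> str:
    """Generates a password from a cryptographically secure source; each
    position is chosen uniformly from the alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(weak_keyspace: int, strong_alphabet: str, strong_length: int,
            guesses_per_second: float) -> dict:
    """Summarises both options so the difference in bits and in search time
    can be read off directly."""
    strong_keyspace = keyspace_size(len(strong_alphabet), strong_length)
    return {
        "weak_bits": entropy_bits(weak_keyspace),
        "strong_bits": entropy_bits(strong_keyspace),
        "weak_exhaust_seconds": seconds_to_exhaust(weak_keyspace, guesses_per_second),
        "strong_exhaust_seconds": seconds_to_exhaust(strong_keyspace, guesses_per_second),
    }


if __name__ == "__main__":
    # Assumed guess rate for illustration only; real rates depend on the target.
    rate = 100.0
    summary = compare(ADVISORY_KEYSPACE, STRONG_ALPHABET, 16, rate)
    for key, value in summary.items():
        print(f"{key:>24}: {value:,.2f}")
    print("example user-chosen password:", strong_password())
```

The comparison is about the size of the space, not the look of the password: a generated value may be eight characters of mixed case and still come from a 22-bit space if the generator's internal state is that small, which is why the advisory recommends supplying one's own password rather than trusting the generated one.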